Canadian Cyber Security Journal
SOCIAL:
Filed under: Featured, TechTalk

SharePoint CVE-2026-45659 Under Active Attack With a July 4 Federal Deadline — What Canadian Organizations Must Do Now

What Happened

CISA added CVE-2026-45659, a remote code execution flaw in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities catalog on July 1 after confirming active exploitation. The vulnerability stems from deserialization of untrusted data and carries a CVSS score of 8.8. An authenticated attacker holding nothing more than Site Member permissions is able to execute arbitrary code on the server in a low-complexity attack with no user interaction. Microsoft patched the flaw in May 2026 for SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016.

The KEV listing carries an unusually tight remediation deadline of July 4, three days after publication. Notably, Microsoft assessed exploitation of this flaw as “less likely” at patch time. Attackers disagreed.

Why This Matters for Canadian Organizations

On-premises SharePoint remains deeply embedded across Canadian federal departments, provincial agencies, municipalities, universities, hospitals, and regulated enterprises, often hosting the exact document repositories an attacker wants. The authentication requirement offers thin comfort. Site Member is one of the lowest permission tiers in SharePoint, and phished or sprayed credentials from any single user meet the bar. Last year’s wave of SharePoint exploitation showed how quickly deserialization flaws convert into web shells and full server takeover.

A compromised SharePoint server holding personal information triggers breach assessment and notification obligations under PIPEDA, and federally regulated financial institutions carry OSFI B-13 expectations for timely patching of exploited vulnerabilities. The three-day US federal deadline is a useful benchmark for Canadian patch urgency.

What to Do

Apply the May 2026 SharePoint security updates immediately if you have not already. Treat the CISA deadline as your own. Review IIS and SharePoint ULS logs for signs of deserialization abuse or unexpected process creation since May, and audit accounts holding Site Member access or higher for credential hygiene and MFA coverage. Organizations unable to patch immediately should restrict server reachability to trusted networks.

Read the full report at BleepingComputer.

Enjoy this article? Don’t forget to share.